Since F5's BIG-IP is part of the SSL/TLS session, it protects application, maintaining high encryption performance, even with large RSA key sizes and the most secure codes such as PFS.
“Low and slow” attacks on encrypted traffic (HTTP over SSL /TLS) are not detectable by most DDoS mitigation devices (or services), since to handle that they need A) symmetric traffic; B) hardware for SSL decryption; and C) the private encryption keys of the website.
Although they meet the above requirements, DDoS mitigation devices that operate in bridge mode, They cannot deal with Perfect Forward Secrecy (PFS) encryption, forcing websites to use older, less secure encryption codes, affecting the website's security level and increasing risks.
ALTERNATIVES
- Do nothing and hope for the best
- The services Detection and protection against L7 in encrypted traffic offered by SP or cloud solutions require private encryption keys. Providing these keys to third parties may violate the service's security or privacy policies.